bvstone

SSL Handshake Errors with GETURI, MAILTOOL and GreenTools Products

Posted:

SSL Handshake Errors with GETURI, MAILTOOL and GreenTools Products

UPDATE: IBM Has Issued PTFs That May Solve This Issue:

The following PTFs have been issued that should solve this issue.  The previously listed PTFs didn't seem to solve the issue.  But as of 2/10/2022 these have been tested by myself and seem to work:

7.3 - MF69527
7.4 - MF69523

SSL/TLS Handshake Errors

Recently IBM i users (and myself) that use applications that communicate over SSL/TLS with sockets (such as GETURI, MAILTOOL, G4G, G4MS, HTTPAPI, etc) have run into some communication issues.  The two errors errors in question are:

  • Error performing SSL Handshake.  RC(-11) or RC(-16) PeerCertRC(0) - For the base IBM SSL APIs

  • Error performing SSL handshake.  RC(415) errno(0) - When using the GSKit SSL APIs

This error is random and most of the time is resolved by making the request again.  We understand this solution isn't ideal and have been trying to work with IBM to find a proper solution.

I did open a case with IBM (as have others regarding the same issue) but we were unable to find the issue's main cause. Although with some trial and error we were able to find a couple solutions that did work for most endpoints for the time being.

I also started a conversation on Stack Overflow and have received one reply that may help us down the right path.  It makes sense if Google says a cipher isn't compatible that it would cause problems, but again I don't know why Google wouldn't just ignore that cipher as there are normally many more to choose from in the SSL handshake negotiation.

Solution 1: Remove *TLSV1.3 from system value QSSLPCL

This solution seemed to solve the problem for myself, although I didn't perform as many tests as the other options.  For some shops this is not an option for security reasons, but if it is, give it a try to see if it helps.  I don't know of any endpoints that require only TLS v1.3 at this time, but that may not be the case for you.

Solution 2: Remove Specific SSL Ciphers From System Value QSSLCSL

The following ciphers were removed the from the system cipher list (system value QSSLCSL) after changing system value QSSLCSLCTL to *USRDFN.

  • *ECDHE_RSA_AES_256_GCM_SHA384 -  this one seems to cause problems with Google/GMail and Microsoft/Office 365.

  • *AES_256_GCM_SHA384 - this one seems to cause problems with GoDaddy.  

Your situation may be a different cipher.  I have another customer now getting this error communicating with a server using a new Amazon root CA.  So, it's important to open a call with IBM when you have this problem so they can do a trace and hopefully find out which cipher may be an issue, or possibly find a real answer/solution to this problem.

No IPL is required after making any of these changes.       

After removing these ciphers from my system cipher list, all of the errors I was experiencing stopped.  In your case, it could be a different Cipher that is causing the problem depending on the endpoint that is having the issue.  Removing these ciphers should not cause any issues with other applications, and in fact on the Stack Overflow post I made someone actually commented that the one of the ciphers isn't compatible.

Final Actions:

Step 1: Contact IBM support and let them know you're having this issue.  The more people that contact them, the more they hopefully will be willing to dig deeper into the issue or issue a PTF that removes specific ciphers that seem to be causing the problem from the *OPSYS SSL cipher list for the QSSLCSLCTL system value.  I suspect that as time goes on more vendors, and even IBM themselves, will encounter this issue making it even more critical to fix.

Step 2: Try removing the specific ciphers from the SSL list mentioned above.  This completely resolved the issue for me.  I know that sometimes this type of thing can make you wonder if something else will break, but it is most likely what IBM will suggest as well.

Step 3: Make sure you have the latest version of MAILTOOL installed.  We have added a "retry" option to MAILTOOL if this specific error occurs.

Step 4: For GETURI, and the GreenTools products, you may need to add retries to your code as well when this specific error occurs.

Step 5:  If you learn any information that may help, I have opened a question on Stack Overflow that I am hoping if the right eyes see it, we'll get an answer.  If you have any friends at Google, Microsoft, or GoDaddy, myself and IBM are willing to work with them to figure out the issue.

Thank you, and we apologize for the inconvenience this issue may have caused.


 


Last edited 02/11/2022 at 07:55:58




Reply




Copyright 1983-2024 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).